API Management and Security
This Leadership Compass provides an overview of the market for API management and security solutions along with recommendations and guidance for finding the products which address your requirements most efficiently. We examine the complexity and breadth of the challenges to discover, monitor, and secure all APIs within your enterprise and identify the vendors, their products, services, and innovative approaches towards implementing consistent governance and security along the whole API lifecycle.
1 Introduction / Executive Summary
From what used to be a purely technical concept created to make developers' lives easier, Application Programming Interfaces (APIs) have evolved into one of the foundations of modern digital business. Today, APIs can be found everywhere – at homes and in mobile devices, in corporate networks and in the cloud, even in industrial environments, to say nothing about the Internet of Things.
As companies are struggling to maintain their business agility, to react to the ever-changing market demands and technology landscapes, the need to deliver a new application or service to customers as quickly as possible often trumps all other considerations. Rapidly growing demand for exposing and consuming APIs, which enables organizations to create new business models and connect with partners and customers, has tipped the industry towards adopting lightweight RESTful APIs, which are commonly used today.
The rapid adoption of REST APIs also coincided with the exponential growth of cloud computing and mobile device proliferation, where they were the perfect medium to enable integrations between these heterogeneous systems and facilitate data exchange on a massive scale. In a world where digital information is one of the "crown jewels" of many modern businesses (and even the primary source of revenue for some), APIs are now powering the logistics of delivering digital products to partners and customers. Almost every software product or cloud service now comes with a set of APIs for management, integration, monitoring, or a multitude of other purposes.
When the previous edition of our Leadership Compass was published in 2019, our research indicated the growing awareness of the critical role of security in API management solutions, representing a massive change since our first edition back in 2015. Fast forward 18 months and we can clearly see that the tempo of the API market evolution is only increasing.
Perhaps the most notable trend is the rapid expansion of the scope of both modern API management and API security solutions. Nowadays, API gateways for publishing REST API endpoints can certainly already be considered "legacy products". New API technologies, like GraphQL or gRPC, have grown from research projects into widely adopted solutions for specific use cases, where they provide much better flexibility or performance than REST APIs. Modern loosely coupled cloud-native application architectures demand API management solutions that can handle complicated traffic patterns and deal with ephemeral container-based infrastructures.
These trends not only reshape the basic capabilities of modern API management platforms (for example, enforcing API quotas with rate limiting simply does not work for GraphQL APIs, where requests to the same endpoint can vary in size and complexity), they redefine the scope of API security solutions as well. In a sense, we can already observe the same developments within API security that we've seen on a larger scale for cybersecurity as a whole: with too many different types of infrastructure that need protecting, the overall complexity of security solutions grows exponentially.
Some vendors are already promoting alternative approaches towards API security, which are more data-centric and proactive in nature than traditional infrastructure monitoring and security analytics. This might sound controversial, but one potential scenario for the future development of the API security market is that it will evolve into multiple specialized types of security capabilities which will be integrated with other existing areas of cybersecurity – for example, into XDR security analytics platforms or integrated data protection or application security solutions.
Because of these ongoing developments, some of the ratings presented in this Leadership Compass might deviate somewhat from the previous edition. This by no means indicates that some of the solutions covered in our rating have suddenly become less functionally capable – it is the market that has evolved, and some of the existing capabilities simply no longer align with the modern requirements. We will, of course, continue to follow the latest developments in the field of API security in our future publications as well.
In the meantime, our general recommendation for customers remains the same: both API management and API security should not be considered as standalone, isolated components of your IT infrastructures. On the contrary, choosing the right product should be a part of a comprehensive strategy that covers such aspects as application development and operations, data protection, and regulatory compliance.
Only by combining proactive application security measures for developers with continuous activity monitoring and deep API-specific threat analysis for operations teams and smart, risk-based, and actionable automation for security analysts one can ensure consistent management, governance, and security of corporate APIs and thus the continuity of business processes depending on them.
- Both API management and API security market segments continue to evolve and grow, driven by a massive increase in API adoption, as well as by an ongoing pressure of security and compliance risks APIs are exposed to.
- The tempo of the API evolution continues to increase, with multiple new standards, protocols and architectures emerging, expanding the scope for API management solutions beyond just the traditional REST APIs.
- Fueled by widely publicized large-scale data breaches and new compliance regulations in various industries, the overall awareness of API security risks and challenges continues to rise.
- With standard API management capabilities quickly becoming a commodity, vendors specializing in these solutions are focusing on increasing their functional coverage to address new business requirements, involve new stakeholders, and improve productivity for developers.
- Some vendors no longer consider API management a standalone market, offering these functions as a part of larger enterprise integration platforms.
- API discovery and security monitoring solutions continue to be the most popular class of products offered on the API security market, but solutions addressing other phases of the API lifecycle are growing in popularity.
- The market consolidation trend continues, with larger established vendors acquiring small innovative startups, integrating their technologies into more comprehensive, unified security platforms.
- The notion of data-centric security that incorporates API security as one of the major layers in an integrated, layered architecture is emerging, with several vendors already offering such integrated platforms.
- The overall leaders in the API management and security market are (in alphabetical order): 42Crunch, Axway, Broadcom, Curity, Forum Systems, Google Apigee, Imperva, Red Hat, Sensedia, and WSO2.
1.2 Market Segment
We have long recognized the API Economy as one of the most important current IT trends. Rapidly growing demand for exposing and consuming APIs, which enables organizations to create new business models and connect with partners and customers, has tipped the industry towards adopting lightweight RESTful APIs, which are commonly used today, along with the growing variety of alternative protocols and standards.
Unfortunately, many organizations tend to underestimate the potential security challenges of opening up their APIs without a security strategy and infrastructure in place. Such popular emerging technologies as the Internet of Things or Software Defined Computing Infrastructure (SDCI), which rely significantly on API ecosystems, are also bringing new security challenges with them. New distributed application architectures like those based on microservices are introducing their own share of technical and business problems as well.
Creating a well-planned strategy and reliable infrastructure to expose their business functionality to be consumed by partners, customers, and developers is a significant challenge that has to be addressed not just at the gateway level, but along the whole information chain from backend systems to endpoint applications.
It is therefore obvious that point solutions addressing specific links in this chain are not viable in the long term, and KuppingerCole's analysis is primarily looking at integrated API management platforms, but with a strong focus on security features either embedded directly into these solutions or provided by specialized third-party tools closely integrated with them.
When the previous edition of the Leadership Compass on API security was published, the industry was still in a rather early emerging stage, with most large vendors focusing primarily on operational capabilities, with very rudimentary threat protection functions built into API management platforms and dedicated API security solutions almost non-existent. In just a few years, the market has changed dramatically.
On one hand, the core API management capabilities are quickly becoming almost a commodity, with, for example, every cloud service provider offering at least some basic API gateway functionality built into their cloud platforms utilizing their native identity management, monitoring, and analytics capabilities. Enterprise-focused API management vendors are therefore looking into expanding the coverage of their solutions to address new business, security, or compliance challenges. Some, more future-minded vendors are even no longer considering API management a separate discipline within IT and offer their existing tools as a part of larger enterprise integration platforms.
On the other hand, the growing awareness of the general public about API security challenges has dramatically increased the demand for specialized tools for securing existing APIs. This has led to the emergence of numerous security-focused startups, offering their innovative solutions, usually within a single area of the API security discipline.
Unfortunately, as the diagram below illustrates, the field of API security is very broad and complicated, and very few (if any) vendors are currently capable of delivering a comprehensive security solution that could cover all required functional areas. Although the market consolidation continues, with larger vendors acquiring these startups and incorporating their technologies into existing products, expecting to find a "one-stop shop" for API security is still a bit premature.
Although the current state of API management and security market is radically different from the situation just a few years ago, and the overall developments are extremely positive, indicating growing demand for more universal and convenient tools and increasing quality of available solutions, it has yet to reach anything resembling the stage of maturity.
Thus, it's even more important for companies developing their API strategies to be aware of the current developments and to look for solutions that implement the required capabilities and integrate well with other existing tools and processes.
1.3 Delivery Models
Since most of the solutions covered in our rating are designed to provide management and protection for APIs regardless of where they are deployed – on-premises, in any cloud, or within containerized or serverless environments – the very notion of the delivery model becomes complicated.
Most API management platforms are designed to be loosely coupled, flexible, scalable, and environment-agnostic, with a goal to provide consistent functional coverage for all types of APIs and other services. While the gateway-based deployment model remains the most widespread, with API gateways deployed either closer to existing backends or API consumers, modern application architectures may require alternative deployment scenarios like service meshes for microservices.
Dedicated API security solutions that rely on real-time monitoring and analytics may be deployed either in-line, intercepting API traffic, or rely on out-of-band communications with API management platforms. However, management consoles, developer portals, analytics platforms, and many other components are usually deployed in the cloud to enable a single pane of glass view across heterogeneous deployments. A growing number of additional capabilities are now being offered as Software-as-a-Service with consumption-based licensing.
In short, for a comprehensive API management and security architecture, a hybrid deployment model is the only flexible and future-proof option. Still, for highly sensitive or regulated environments customers may opt for a fully on-premises deployment.
1.4 Required Capabilities
We are looking for solutions that cover at least several of the following key functional areas, either focusing on more traditional API management or specializing in securing existing APIs (ideally, combining both approaches in a single integrated platform).
API Design – these functions cover the earliest stages of the API lifecycle such as API contract design, transformation of existing APIs, or modernization of legacy backend services, as well as creating and managing policies that govern API performance, availability, and security.
API Productization and Monetization - converting existing APIs into revenue streams requires the functionality to package multiple APIs into convenient business-oriented products, making them available for tiered consumption according to various monetization plans. Additionally, monetization requires comprehensive reporting capabilities and billing management.
Microservice Management - traditional API gateways do not scale well for modern distributed architectures and must be augmented with modern service management capabilities such as the Istio service mesh, which provides native connectivity, monitoring, and security that scale for hundreds and thousands of microservices.
Developer Portal and Tools - exposing APIs for consumption, providing documentation and collaboration functions, onboarding and managing developers and their apps are among the functions we are looking for here, DevOps and DevSecOps integrations included.
Identity and Access Control - supporting multiple identity types, standards, protocols, and tokens and providing flexible dynamic access control that is capable of making runtime context-based decisions. This does not only apply to the APIs themselves but management interfaces and developer tools as well.
API Vulnerability Management - discovering existing APIs and analyzing their conformance to API contracts, security best practices, and corporate policies is the only truly proactive approach towards API security. Intelligent prioritization of discovered vulnerabilities by business risk assessment improves both developer productivity and overall security posture.
Analytics and Security Intelligence - continuous visibility and monitoring of all API transactions and administrative activities allow for quick detection of not just external attacks, but infrastructure changes, misconfigurations, insider threats, and other suspicious activities.
Integrity and Threat Protection - securing APIs and services from hacker attacks and other threats requires a multilayered approach to address both transport-level attacks and exploits specific to messaging protocols and data formats.
Strong Internal Security - administrative and developer access to the management console must be secured, with role-based access control implemented across the whole platform and delegated administration capabilities added for scalability and decentralization. Multi-factor authentication and audit trail for all activities are recommended.
Scalability and Performance - maintaining continuous availability of the enterprise services even under high load or a denial-of-service attack is the most crucial requirement for an API infrastructure. A modern API management solution should also address the challenges of lightweight distributed architectures.
A strong focus is put on integration into existing security infrastructures to provide consolidated monitoring, analytics, governance, or compliance across multiple types of information stores and applications.
Naturally, an API management solution also needs to provide its own set of APIs.
Some additional functional capabilities for this Leadership Compass include:
- supporting multiple types of identities, authentication protocols, and tokens.
- providing dynamic access control that goes beyond static roles.
- securing interfaces against hacker attacks and other threats.
- addressing government and industry-specific compliance issues.
- ensuring continued availability and performance of the services.
- supporting heterogeneous distributed environments including cloud, containers, microservices, and serverless platforms.
The following are our standard criteria against which we evaluate products and services:
- overall functionality and usability
- internal service security
- size of the company
- number of customers and end-user consumers
- number of developers
- partner ecosystem
- licensing models
Each of the features and criteria listed above will be considered in the product evaluations below.